Debugged Weekly: September 27th — October 7th

--

This week: Yahoo, National Cybersecurity Awareness Month, Vice Presidential Debates, WikiLeaks, and more!

Debugged Weekly is a round-up of news at the intersection of tech and policy.

National

Yahoo Breaking News:

Summary: The Yahoo data breach of 500 million accounts has just become more complicated. Reuters has released a report claiming that Yahoo last year wrote a customized software platform to search customers’ incoming emails for specific information provided by U.S. intelligence officials. The allegations entail the company complying with a classified U.S. government directive to scan emails on behalf of the National Security Agency or FBI. Surveillance experts claim this is the first case in which a U.S. Internet company has agreed to a spy agency’s demand to scan messages. Reuters reported that it is unknown what information intelligence officials were looking for, only that Yahoo was required to search for a set of characters within its system. It is unknown whether other email providers were approached with this request.

Why it Matters: Although it is widely known that U.S. phone and Internet companies have collaborated with the intelligence community in the past, this is the first instance in which real-time Web collection occurred through a deliberately coded computer program. The Foreign Intelligence Surveillance Act of 2008 gives the intelligence community the ability to access the customer data of U.S. phone and Internet companies in order to aid intelligence gathering efforts related to national security and terrorism. The depth and magnitude of these kinds of mass surveillance have recently been revealed to the American people through whistleblowers such as Edward Snowden. Although companies such as Yahoo and Google can challenge these demands, they must do so in front of a secret tribunal called the Foreign Intelligence Surveillance Court. Furthermore, these directives will only become more prevalent with the increasing use of encryption. For companies such as Yahoo, fighting against these kinds of directives has proven to be difficult. Even so, the discreetness of the matter and the decision not to contest the most recent directive have led to further criticism. Reuters claims the program was discovered in May 2015 by Yahoo’s security team, which initially believed the code to have been written by hackers.

Who Should Care: Citizens, Privacy community, U.S. intelligence community, tech companies, U.S. government.

N.S.A. Contractor Arrested:

Summary: Yesterday, the New York Times released a breaking news story that the FBI has arrested a National Security Agency contractor over allegations of stealing highly classified NSA computer code used to hack into the networks of foreign governments. The source code believed to be stolen has been responsible for many of the agency’s most sensitive cyber operations against adversaries like Russia, China, Iran, and North Korea. The contractor was allegedly working for the consulting firm Booz Allen Hamilton, the same consulting firm as Snowden. It is not known if this incident is connected to the ShadowBrokers release of NSA hacking weapons this past August. It is unclear exactly how this may compromise the NSA.

Why it matters: As this is the second contractor in three months who has exposed highly sensitive information about surveillance programs of the United States Government, this information raises concerns about security both within and outside of the N.S.A.’s network operations. Further, the amount of sensitive information released over the past few months could compromise the effectiveness of the NSA in the future.

Who should care: U.S. Government, U.S. intelligence community, International community, U.S. citizens.

National Cybersecurity Awareness Month:

Summary: This past Friday, President Barack Obama issued a Presidential Proclamation naming October 2016 as National Cybersecurity Awareness Month (NCAM). This announcement acknowledges technology’s role in our daily lives and highlights the importance of securing individual information against cyber threats. Over the past year, the administration has taken numerous measures to strengthen cybersecurity both domestically and internationally. From the creation of the Cybersecurity National Action Plan and the implementation of the Federal Chief Information Security Officer position to the establishment of a Commission on Enhancing National Cybersecurity, the Obama administration has been attempting to push cybersecurity policy further than ever before. As part of the awareness campaign, the National Cyber Security Alliance will focus on different digital security themes throughout the month. The first theme focuses on the Department of Homeland Security’s “Stop. Think. Connect” campaign. Through the declaration of a Cybersecurity Month, the Obama administration intends to continue promoting cybersecurity as a top priority for the United States.

Why it matters: As cybersecurity is a universal matter, the creation of National Cybersecurity Awareness Month will help to further promote education and awareness of individual cyber-rights and prevent further cybersecurity issues in both the public and private sectors. From Internet companies to governments and everyday citizens, we must all do our part in increasing the security of our individual and collective networks.

Who Should Care: Everyday citizens, companies, politicians, U.S. Government, Democrats, Republicans, technology companies, and U.S. intelligence communities.

Trump’s Cyber Speech:

Summary: A few days ago in Philadelphia, Presidential Candidate Donald Trump addressed issues relating to national security. In his speech, Trump discussed issues relating to cybersecurity in more detail than in the first presidential debates. Trump notes that his first directives as president would be to “conduct a thorough review of all United States cyber defenses and identify all vulnerabilities”. He further claimed that the United States should be more open about its offensive cyber capabilities. If elected president, Trump would require relevant federal departments to submit a plan addressing vulnerabilities in the country’s power grid, communications, and infrastructure. He also notes that investing in tech sectors could in fact help create new jobs for the American people. This has been the most detailed response so far relating to the candidate’s policies on cybersecurity.

Why it matters: Although Presidential Candidate Hillary Clinton discussed these issues long before Trump’s address, it is refreshing to hear cyber at the forefront of both candidates’ policy approaches this election season. The number of cyber-related incidents each political candidate has experienced this election determines how deeply cybersecurity matters.

Who Should Care: Voters, U.S. Government, Democrats, Republicans, U.S. intelligence communities, International politicians.

The Vice Presidential Debates:

Summary: The Vice-Presidential Debates were held three days ago at Longwood University in Farmville, Virginia. As much of the spotlight has focused on the individual candidates this election season, many Americans were introduced to Democrat Tim Kaine and Republican Mike Pence for the first time. As expected, the candidates’ running mates spoke comprehensively about U.S. policy and their competing visions for America’s future. Surprisingly, the debate gave minimal coverage to cybersecurity in America. Here’s a breakdown of each individual candidate:

Democrat Senator Tim Kaine: Of the two debaters last night, Kaine has discussed cybersecurity in further detail throughout his political career. Before his appointment as Hillary Clinton’s running mate, Kaine focused on cybersecurity, cyber-related jobs and the military’s role in cyberspace. His positions on the Senate Foreign Relations and Senate Armed Services committees have exposed him to the U.S. government’s relationship to cyberattacks and cybersecurity measures both domestically and internationally. Furthermore, Kaine was implicated in the Guccifer 2.0 hacks, which released many of his personal emails. Last night, Kaine was immensely vocal about the negative repercussions of Trump’s comment on Russian hacking of Hillary Clinton’s emails. Furthermore, Kaine and fellow Virginia Senator Mark Warner introduced a bill offering identity theft protections to victims of the OPM hack. As a result, Kaine held a strong foundational understanding of cybersecurity policy leading up to the debate. Last night, Kaine discussed the idea of creating a partnership with private-sector cyber firms in order to bolster cybersecurity in America. Kaine noted, “We’ve got some of the best intelligence and cyber employees in the world working right here in the United States for many of our private-sector companies”. Further, Kaine noted the plan must include “striking great partnerships with some of our cyber and intel experts in the private sector”.

Republican Senator Mike Pence: Pence does not hold much experience in the area of cybersecurity. His political career has focused on cybersecurity within the context of economics. Although Pence has mentioned that state-based cyber-attacks should face consequences, he has not clarified his stance on a domestic and/or international response. Pence has been extremely vocal about his distaste for Hillary Clinton’s emails, but was understanding in the context of combatting cyber-related analysis in last night’s debate. Last night, when the topic of cybersecurity was approached, both candidates agreed on the necessity of bolstering cybersecurity in America. Pence commented last night: “we have got to bring together the very best resources for this country to understand that cyber warfare is the new warfare of the asymmetrical enemies that we face in this country”. More often than not, Pence used cyber within the debates to attack Hillary Clinton’s emails during her time as Secretary of State. Pence further pushed this topic, indicating that the “best way to ensure federal government cybersecurity would be to keep the next secretary of State from having a private server”. Although the debate on cyber centered largely on this issue, both candidates fundamentally agreed on the necessity to work with one another in order to increase funding and support for cyber initiatives.

Why it matters: Last night functioned as an opportunity for VP Candidates to dig into the international politics and cybersecurity policies of the Presidential Candidates this election season. Albeit brief, cybersecurity was mentioned and discussed.

Who Should Care: Voters, U.S. Government, the international community.

DHS Response to Increased State Voting Security:

Summary: The Department of Homeland Security (DHS) released a statement this Friday claiming that state voter registration systems and networks have been probed by hackers in more than 20 states. The statement strengthens the concern that electoral systems are in fact vulnerable to hacking this election season. As this topic is sensitive in nature, the DHS has not released details regarding how, and to what extent, the election systems have been probed, but acknowledges the intrusion attempts as “probing of concern”. Furthermore, the DHS has not pinpointed the malicious actors involved, nor whether manipulation of data was involved. Although probing is considered low-level cyber activity, it still reinforces concerns about the infrastructure and network systems of state-based election systems. In a report released by The Hill, the DHS Chief has noted that 21 states have sought “cybersecurity assistance” over hackers accessing electoral systems. Homeland Security Secretary Jeh Johnson has urged state elections officials to boost their cybersecurity defenses in the upcoming elections. In the article, Johnson notes, “Before November 8, I urge state and local election officials to seek our cybersecurity assistance. So far, 21 states have contacted us about our services. We hope to see more”. Although the bipartisan letter and Johnson’s statement do not mean that states must submit to additional federal regulations, they act as a warning to conduct better “federal hygiene” as soon as possible.

Why it matters: In recent months, malicious cyber actors have been scanning a large number of state systems, emails, and critical infrastructure. Johnson notes this could be the lead-up to possible attempts at network intrusion. In order to protect our election systems, states must take the necessary precautions to ensure their networks and infrastructures are not vulnerable to attacks.

Who Should Care: Voters, U.S. Government, Democrats, Republicans, the US Intelligence Community.

ICANN News Update:

Summary: This Saturday, the United States Government handed over responsibility for the Internet’s domain name system (DNS) to ICANN. Although this decision was met with critical debate, the Obama Administration gave assurances that placing power in the hands of a multi-stakeholder model will foster a more open and transparent Internet. The opposition has raised growing concerns that this decision may lead to increased governmental censorship around the world. With this argument in mind, ICANN released a statement countering these assertions: “ICANN is a technical organization and does not have the remit or ability to regulate content on the internet… that is true under the current contract with the US government and will remain true without the contract with the US government”. ICANN and the U.S. Government have given assurances that the multi-stakeholder model of internet governance will guarantee openness, freedom and accessibility of the internet. Furthermore, the Internet Governance Coalition, which comprises organizations such as Facebook, Google, Microsoft and Verizon, has expressed approval of the United States Government’s decision.

Why it matters: The transfer of responsibility to ICANN has been said to promote an independent judicial branch of Internet governance by empowering community accountability. Furthermore, transparency will be bolstered by strengthening public access to inspect ICANN documents, accounts and records.

Who should care: Internet users, U.S. Government, Democrats, Republicans, The US Intelligence Community, the international community.

International

WikiLeaks Conference:

Summary: WikiLeaks held a press conference yesterday in honor of the organization’s 10th anniversary. The founder, Julian Assange, was intending to release information regarding Hillary Clinton’s Presidential campaign, but this greatly anticipated disclosure was postponed. Assange instead promised the release of documents in the near future, which is intended to include information “affecting three powerful organizations in three different states, as well as, of course, information previously referred to about the U.S. election process”. Assange claims documents would be published every week for the next ten weeks before Election Day. Attempting to debunk the notion that he is intentionally trying to harm Hillary Clinton’s chances this election season, Assange notes that the information intended for release “show[s] interesting features of US power factions and how they operate”.

Why it matters: Although the contents of the documents have not yet been released, they could possibly affect public opinion of the United States elections.

Who should care: American Voters, U.S. Government, Democrats, Republicans, The US Intelligence Community.

WhatsApp: Data Sharing and Privacy in Europe:

Summary: WhatsApp has been intending for quite some time to update its terms and conditions in Europe so that user data would be shared with its partner company, Facebook. Last week, Facebook was ordered to stop harvesting data on WhatsApp users in Germany by the Hamburg city DPA. The DPA believed the changed terms and conditions to be misleading to users and a breach of national data protection law. This decision has led other countries to begin questioning whether WhatsApp was being transparent with users about the sharing and use of their data. The new terms and conditions state that user data from the application, including mobile numbers, would be shared with the “Facebook family of companies” for marketing and ad targeting purposes.

Why it matters: Although WhatsApp’s data sharing has raised concerns amongst privacy advocates in Europe, it has also raised concerns in the European Commission. The question of EU-wide regulation and policy for data sharing has become a part of the discussion due to WhatsApp’s activities in Europe.

Who should care: The European Union, European Commission, European countries, European citizens, European law enforcement.

European Export Control Policy Under Consideration:

Summary: The European Union has begun talks amongst its member states to adopt new rules on cybersecurity and surveillance. The export control policy review addresses many of the controversies surrounding international export control of militarized spyware and deconstructs the role of the Wassenaar Agreement in European countries. Historically, the Wassenaar Agreement is an administrative document designed to control the export and import of physical weapons and technologies that have potential military applications. The agreement worked with 41 members to cover dual-use technologies (including surveillance software) in order to keep particular technologies out of the hands of authoritarian states. Today, the agreement has been critiqued for slowing down the export of legitimate, critical network security testing products, stifling international presentations of research, and hindering necessary cybersecurity practices worldwide. Like the United States, the European Union is looking into changing its terms of the agreement for export control policy. As a result, the European Commission will decide upon terms of review in mid-October. The Commission will use the results of a public consultation to identify the most suitable regulatory and non-regulatory actions and decide whether to propose amendments.

Why it matters: The EU’s intention is to create tighter rules for the export of dual-use technologies from its jurisdiction, indicating some important changes for the cyber-technology industry and cyber-surveillance technologies. If the European Parliament decides to adopt the proposed amendment, this will require cyber companies with the relevant listed dual-use items to begin obtaining export licenses and follow additional procedural requirements in Europe.

Who should care: The European Union, European Commission, European countries, European cyber companies, International community.

--

From encryption & privacy to international security, the Digital Futures Project @TheWilsonCenter seeks to understand the ways technology shapes policymaking.